Cards Hack Astros: 9 Innings of Idiocy

Slack AliceSlogger, Infosecurity Magazine

The FBI is looking into whether the front office of the St. Louis Cardinals hacked into the internal networks of the Houston Astros, including the baseball club’s “closely guarded” special databases of trades, proprietary statistics and scouting reports.

Not so closely-guarded, it must be said. From a cyber-perspective, no one was exactly swinging for the fences on this one. In fact, the details of this are a breathtaking litany of idiocy when it comes to preparedness and execution.

For one, supposedly, angry Cardinals execs were suspicious that former GM Jeff Luhnow—a polarizing figure at the club—took proprietary baseball information with him when he moved to the Astros.

Under Luhnow, the Cardinals built a proprietary database, dubbed Redbird, for storing all sorts of important baseball operations data, including scouting reports and player information. After he left to join the Astros, he embarked on a similar project, charmingly called Ground Control.

It contained the Astros’ “collective baseball knowledge.”

But from there this story blasts off into almost comic-dunce territory. To break into Ground Control, Cards personnel simply examined a list of passwords Luhnow used while in Missouri and tried them out. Guess what? They worked.

Come on, folks, Joe DiMaggio’s not making it rain anymore, and using the same password wherever one goes isn’t going to cut it in this day and age (was it LuhnowRocks101? PasswordLuhnow? We’d love to know).

No two-factor authentication? No complex, changing password requirements? In a sport that builds half of its momentum on team rivalries, this all seems breathtakingly dumb.

But it gets worse. The Astros had no idea that the database was compromised—until someone in the Cardinals organization decided to crow about the success of the, err, fact-finding mission, posting the lifted documents on Anonbin.

Even worse, the person who launched the “attack,” if you want to call it that, did so from… drumroll please… their house. Their home computer. Which, once the FBI was alerted to the Anonbin posting, of course made it very easy to track them down.

All nine innings of this saga are filled with security strike-outs, suffice it to say.

“Part of the problem is that the Astros, like many large enterprises in other industries, had their ‘crown jewel’ database built in-house,” Fortscale CEO Idan Tendler told us. “This means the application is highly customized, so there are no off-the-shelf solutions to monitor who is accessing the information and what they’re doing with it. Visibility into these applications is very difficult, yet they are often the most crucial ones in the whole enterprise.”

Furthermore, it’s difficult to spot malicious insider activity in a bespoke world.

“Companies either don’t have the context of the activity being monitored or the alerts go unnoticed because of all the ‘noise’ of data and lack of prioritization,” Tendler said. “Proper user behavior analysis needs to be established in order to extract ‘abnormal’ activity from normal.”
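To make Tendler’s point concrete, here is an added example (not code from Infosecurity Magazine, Fortscale, or either ball club) of the kind of per-user baselining that separates “abnormal” from normal in the access log of an in-house application. The log format, the field names, the user names `scout1` and `exgm`, the IP addresses and every record are constructed for illustration; a real deployment would feed the application’s own audit events instead. Each event is compared against that user’s earlier events on four signals (source network, hour of day, action type and volume), the signals are added into one score, and only events above a threshold are reported, highest score first, which is the prioritization step Tendler says is usually missing.

```python
"""Baseline-and-deviate detection over constructed access logs of a bespoke application.

Added example for illustration; not the code of any product or organisation named in the article.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): "timestamp user src_ip action records_touched"
SAMPLE_LOG = """\
2015-03-02T09:12:00 scout1 10.0.5.21 view_report 3
2015-03-02T10:40:00 scout1 10.0.5.21 view_report 5
2015-03-03T09:05:00 scout1 10.0.5.21 view_report 4
2015-03-03T12:20:00 scout1 10.0.5.21 view_report 2
2015-03-04T08:55:00 scout1 10.0.5.21 view_report 6
2015-03-04T11:10:00 exgm 10.0.5.40 view_report 8
2015-03-05T10:30:00 exgm 10.0.5.40 view_report 7
2015-03-06T09:45:00 exgm 10.0.5.40 view_report 9
2015-03-07T10:00:00 exgm 10.0.5.40 view_report 6
2015-03-08T02:17:00 exgm 203.0.113.7 export_report 180
"""

MIN_BASELINE = 3      # prior events a user needs before being scored at all
HOUR_SLACK = 2        # hours outside the user's seen window before "off-hours" fires
ALERT_THRESHOLD = 3   # combined score at which an event is reported


def parse_log(text):
    """Parse the constructed line format into dicts, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, action, count = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "ip": ip,
            "action": action,
            "count": int(count),
        })
    return sorted(events, key=lambda e: e["ts"])


def network_of(ip):
    """Crude /24 key; a real deployment would map IPs to known office/VPN ranges."""
    return ip.rsplit(".", 1)[0]


def score_event(event, history):
    """Compare one event with the same user's earlier events; return (score, reasons)."""
    score, reasons = 0, []

    if network_of(event["ip"]) not in {network_of(h["ip"]) for h in history}:
        score += 2
        reasons.append(f"new source network {network_of(event['ip'])}")

    hours = [h["ts"].hour for h in history]
    if not (min(hours) - HOUR_SLACK <= event["ts"].hour <= max(hours) + HOUR_SLACK):
        score += 1
        reasons.append(f"off-hours access at {event['ts'].hour:02d}:00")

    if event["action"] not in {h["action"] for h in history}:
        score += 1
        reasons.append(f"first use of action {event['action']}")

    counts = [h["count"] for h in history]
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    limit = mean + 3 * sd if sd > 0 else 2 * mean   # fall back when history is flat
    if event["count"] > limit:
        score += 2
        reasons.append(f"volume {event['count']} vs baseline ~{mean:.1f}")

    return score, reasons


def detect_anomalies(log_text):
    """Score every event against the user's own prior events; return alerts, highest score first."""
    history = defaultdict(list)
    alerts = []
    for ev in parse_log(log_text):
        prior = history[ev["user"]]
        if len(prior) >= MIN_BASELINE:
            score, reasons = score_event(ev, prior)
            if score >= ALERT_THRESHOLD:
                alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                               "score": score, "reasons": reasons})
        prior.append(ev)   # the event becomes part of the baseline for later ones
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOG):
        print(a["score"], a["user"], a["ts"], "; ".join(a["reasons"]))
```

On the constructed log, the five `scout1` events and the first four `exgm` events score zero, and only the late-night bulk export from an unseen network is reported, with all four reasons attached so an analyst sees why it ranked first rather than just that it did. Two design choices matter in practice: a user is not scored until a minimum baseline exists (otherwise every new hire is an alert), and because each event joins the baseline once scored, a slow-and-steady insider can train the model to accept them, so the history used for comparison should be reviewed or frozen rather than grown blindly.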